Make testing all-encompassing
UDAAP of course covers everything a bank does: products,
services, processes, behaviors, communications, responses,
and so on. It doesn’t cover just one particular product type
(such as consumer loans, as Reg. Z does) or fraud (like BSA
does). UDAAP encompasses everything whether or not any
other law or regulation addresses it. This also means UDAAP
risk can be easily missed, since no testing may exist that would
identify the risk while looking for something else.
The expansiveness of UDAAP can be frustrating, but at the
same time it can be liberating. Develop broad-based questions
such as “Does the bank take measures to offer products that are
appropriate for the consumer?” This one question can then be
incorporated into testing each area of the bank where this issue
comes into play: marketing, sales, customer service, call centers,
and so forth.
Focus on underlying UDAAP concepts rather than specifics, and then apply those concepts to where the risk points are
within the bank.
Apply testing in all functional areas in the bank
This is really an offshoot of the point made above, but
since UDAAP covers everything, implement testing
everywhere in the bank: product development,
marketing and advertising, underwriting, fulfillment,
servicing and collections, and everywhere else. Since
UDAAP risk can lurk anywhere, identify where potential
bad conduct could occur and assign appropriate testing.
There are very few areas where UDAAP testing would
not be appropriate.
A couple of areas deserve special mention.
One is Governance. Does the bank have proper UDAAP awareness
and culture? Is there sufficient understanding of how critical the
concept is, and is that apparent within senior management (and the
Board), business leaders, compliance and legal, and in other
responsible areas?
Testing and audits should include evaluations of whether UDAAP
is important enough to the bank to even want to limit the risk.
Another is Product Development (in whatever form it exists
in a particular bank). UDAAP risk can be created or mitigated
right here, so testing the processes here should be extensive. Are
appropriate thought processes included, and are they consistent?
Are UDAAP issues taken into account when new products are
developed, or existing products changed?
Although UDAAP is more about acts and practices than products and services, it is clear that particular financial products
generate increased UDAAP risk simply because of what they
are. Examples are ancillary (or add-on) products, complex loan
products, and specific products such as overdraft protection and
identity theft prevention. Testing should devote increased attention to these due simply to their risky profile and the attention
they’re bound to get from examiners.
The third, and possibly most important, area to consider is
Vendor and Third Party Management. This is a topic unto itself,
but a reading of UDAAP-related enforcement actions makes it
clear that unacceptable behavior often comes from third parties
rather than the bank. Testing must evaluate whether the bank
imposes sufficient monitoring and control over third party conduct that impacts consumers. Behaviors must not be minimized
or excused, or risks lessened, because they didn’t originate from
the bank. Testing must be just as stringent as that done within the
bank, if not more so.
Test processes
This follows the theme that since UDAAP focuses on acts and
practices, testing should reflect where risk might occur. The
concern isn’t as much what is delivered (although that can’t be
ignored, as discussed above), but how it is delivered, wherever in
the bank that might be.
These are process-based issues, and compliance testing and
audit questions should reflect this focus. This concept is also
applicable to how risk assessments are performed, which makes
sense since testing and audit are critical detective (and in some cases
preventive) controls designed to mitigate UDAAP risk.
Examples of process-based questions (that could be asked in
one or multiple places within the bank) include:
■ How is information communicated?
■ Is critical information conspicuous or buried?
■ Is fairness considered during product development?
■ Are incentives designed to avoid encouraging inappropriate sales?
■ Are collections and loss mitigation offered in a way to provide value to distressed borrowers?
Focus on all the processes that exist throughout the lifecycle of
financial products. Again this is different than technical compliance, where laws and regulations tend to apply to narrow aspects.
However, when dealing with an all-encompassing principle that
applies to everything the bank does, identifying where UDAAP may
occur (anywhere and everywhere) suggests more of a process focus.